Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136, Fall 2014
Outline
• Network security characteristics and threats
• Denial of service attacks
• Traffic control mechanisms
• Firewalls
• Encryption for network security & VPNs
• Wireless security
• Honeypots and honeynets

Some Important Network Characteristics for Security
• Degree of locality
• Media used
• Protocols used

Degree of Locality
• Some networks are very local
  – E.g., an Ethernet
  – Benefits from:
    • Physical locality
    • Small number of users and machines
    • Common goals and interests
• Other networks are very non-local
  – E.g., the Internet backbone
  – Many users/sites share bandwidth

Network Media
• Some networks are wires, cables, or over telephone lines
  – Can be physically protected
• Other networks are satellite links or other radio links
  – Physical protection possibilities more limited

Protocol Types
• TCP/IP is the most used
  – But it only specifies some common intermediate levels
  – Other protocols exist above and below it
• In places, other protocols replace TCP/IP
• And there are lots of supporting protocols
  – Routing protocols, naming and directory protocols, network management protocols
  – And security protocols (IPSec, ssh, ssl)

Implications of Protocol Type
• The protocol defines a set of rules that will always be followed
  – But usually not quite complete
  – And they assume everyone is at least trying to play by the rules
  – What if they don’t?
• Specific attacks exist against specific protocols

Threats To Networks
• Wiretapping
• Impersonation
• Attacks on message
  – Confidentiality
  – Integrity
• Denial of service attacks

Wiretapping
• Passive wiretapping is listening in illicitly on conversations
• Active wiretapping is injecting traffic illicitly
• Packet sniffers can listen to all traffic on a broadcast medium
  – Ethernet or 802.11, e.g.
• Wiretapping on wireless is often just a matter of putting up an antenna

Impersonation
• A packet comes in over the network
  – With some source indicated in its header
• Often, the action to be taken with the packet depends on the source
• But attackers may be able to create packets with false sources

Violations of Message Confidentiality
• Other problems can cause messages to be inappropriately divulged
• Misdelivery can send a message to the wrong place
  – Clever attackers can make it happen
• Messages can be read at an intermediate gateway or a router
• Sometimes an intruder can get useful information just by traffic analysis

Message Integrity
• Even if the attacker can’t create the packets he wants, sometimes he can alter proper packets
• To change the effect of what they will do
• Typically requires access to part of the path the message takes

Denial of Service
• Attacks that prevent legitimate users from doing their work
• By flooding the network
• Or corrupting routing tables
• Or flooding routers
• Or destroying key packets

How Do Denial of Service Attacks Occur?
• Basically, the attacker injects some form of traffic
• Most current networks aren’t built to throttle uncooperative parties very well
• All-inclusive nature of the Internet makes basic access trivial
• Universality of IP makes reaching most of the network easy

An Example: SYN Flood
• Based on a vulnerability in TCP
• Attacker uses the initial request/response that starts a TCP session to fill a table at the server
• Preventing new real TCP sessions
• SYN cookies and firewalls with massive tables are possible defenses
Normal SYN Behavior
[Figure: client sends SYN, server answers SYN/ACK and adds an entry to its table of open TCP connections, client completes with ACK]

A SYN Flood
[Figure: many SYNs arrive, server answers each with a SYN/ACK and fills its table of open TCP connections; the ACKs never come, so a legitimate request finds no room: “Server can’t fill request!”]
SYN Cookies
• No room in the table, so send back a SYN cookie instead
• The SYN/ACK sequence number is the cookie value
  – A function of the client IP address & port, the server’s secret, various information, and a timer
• When the client’s ACK arrives, the server recalculates the cookie to determine if it is a proper response
• KEY POINT: the server doesn’t need to save information about half-open connections
• And no changes to the TCP protocol itself
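A worked version of the two slides above, written as an added example (it is not code from the lecture): a listener keeps a bounded table of half-open connections, and once the table is full it answers SYNs with a cookie instead of storing anything. The 32-bit layout (top 5 bits for the timer counter, low 27 bits for a truncated HMAC over the client and server address/port) and the 2-tick acceptance window are assumptions chosen for clarity, not the exact scheme of any particular operating system.

```python
import hashlib
import hmac

# Toy SYN-cookie scheme (added example, not lecture code). Layout of the 32-bit
# sequence number sent in the SYN/ACK, an assumption made for this illustration:
#   top 5 bits  : timer counter mod 32, so stale cookies can be rejected
#   low 27 bits : truncated HMAC over (client ip/port, server ip/port, counter)
COUNTER_BITS = 5
HASH_BITS = 32 - COUNTER_BITS
HASH_MASK = (1 << HASH_BITS) - 1
MAX_AGE = 2          # accept cookies minted within the last 2 timer ticks


def _cookie_hash(secret, client_ip, client_port, server_ip, server_port, counter):
    """Keyed hash of the connection 4-tuple plus the timer value, truncated to 27 bits."""
    msg = f"{client_ip}:{client_port}->{server_ip}:{server_port}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_syn_cookie(secret, client_ip, client_port, server_ip, server_port, counter):
    """Sequence number for the SYN/ACK: timer bits plus keyed hash. Nothing is stored."""
    h = _cookie_hash(secret, client_ip, client_port, server_ip, server_port, counter)
    return ((counter % (1 << COUNTER_BITS)) << HASH_BITS) | h


def check_syn_cookie(secret, cookie, client_ip, client_port, server_ip, server_port, now):
    """Recompute the cookie for each recent timer value and compare in constant time."""
    tick = cookie >> HASH_BITS
    given = (cookie & HASH_MASK).to_bytes(4, "big")
    for age in range(MAX_AGE + 1):
        counter = now - age
        if counter < 0 or counter % (1 << COUNTER_BITS) != tick:
            continue
        expected = _cookie_hash(secret, client_ip, client_port, server_ip, server_port, counter)
        if hmac.compare_digest(expected.to_bytes(4, "big"), given):
            return True
    return False


class Listener:
    """A listening socket with a bounded table of half-open connections."""

    def __init__(self, secret, ip, port, backlog):
        self.secret, self.ip, self.port, self.backlog = secret, ip, port, backlog
        self.half_open = {}      # (client_ip, client_port) -> our ISN; the "table" on the slides
        self.established = set()

    def on_syn(self, client_ip, client_port, now):
        """First handshake packet. Returns the sequence number we put in the SYN/ACK."""
        # Any unpredictable ISN will do for a stored entry; we reuse the cookie function.
        isn = make_syn_cookie(self.secret, client_ip, client_port, self.ip, self.port, now)
        if len(self.half_open) < self.backlog:
            self.half_open[(client_ip, client_port)] = isn
        # Table full: the ISN is a cookie and we remember nothing about this client.
        return isn

    def on_ack(self, client_ip, client_port, ack, now):
        """Third handshake packet: ack must equal our ISN + 1. Returns True if established."""
        key = (client_ip, client_port)
        if key in self.half_open:
            if self.half_open[key] + 1 != ack:
                return False
            del self.half_open[key]
        elif not check_syn_cookie(self.secret, (ack - 1) & 0xFFFFFFFF, client_ip,
                                  client_port, self.ip, self.port, now):
            return False
        self.established.add(key)
        return True


if __name__ == "__main__":
    # Constructed scenario: two SYNs that never complete fill a backlog of 2,
    # then a real client is still served via a cookie.
    srv = Listener(b"constructed-secret", "128.171.192.5", 80, backlog=2)
    srv.on_syn("95.113.27.12", 40000, now=10)
    srv.on_syn("95.113.27.13", 40001, now=10)
    seq = srv.on_syn("56.29.138.2", 50000, now=10)
    print("table size:", len(srv.half_open), "established:", srv.on_ack("56.29.138.2", 50000, seq + 1, now=11))
```

The point the slide makes is visible in `on_syn`: once the backlog is full the server hands out a value it can later recompute from the ACK alone, so flooding the table costs the attacker nothing more than it costs the server. The timer bits are what keep an old cookie from being replayed indefinitely.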
General Network Denial of Service Attacks
• Need not tickle any particular vulnerability
• Can achieve success by mere volume of packets
• If more packets are sent than can be handled by the target, service is denied
• A hard problem to solve

Distributed Denial of Service Attacks
• Goal: Prevent a network site from doing its normal business
• Method: overwhelm the site with attack traffic
• Response: ?

The Problem
[Figure]

Why Are These Attacks Made?
• Generally to annoy
• Sometimes for extortion
• Sometimes to prevent an adversary from doing something important
• If directed at infrastructure, might cripple parts of the Internet

Attack Methods
• Pure flooding
  – Of network connection
  – Or of upstream network
• Overwhelm some other resource
  – SYN flood
  – CPU resources
  – Memory resources
  – Application level resource
• Direct or reflection

Why “Distributed”?
• Targets are often highly provisioned servers
• A single machine usually cannot overwhelm such a server
• So harness multiple machines to do so
• Also makes defenses harder

How to Defend?
• A vital characteristic:
  – Don’t just stop a flood
  – ENSURE SERVICE TO LEGITIMATE CLIENTS!!!
• If you deliver a manageable amount of garbage, you haven’t solved the problem
• Nor have you if you prevent a flood by dropping all packets

Complicating Factors
• High availability of compromised machines
  – Millions of zombie machines out there
• Internet is designed to deliver traffic
  – Regardless of its value
• IP spoofing allows easy hiding
• Distributed nature makes legal approaches hard
• Attacker can choose all aspects of his attack packets
  – Can be a lot like good ones

Basic Defense Approaches
• Overprovisioning
• Dynamic increases in provisioning
• Hiding
• Tracking attackers
• Legal approaches
• Reducing volume of attack
• None of these are totally effective

Traffic Control Mechanisms
• Filtering
  – Source address filtering
  – Other forms of filtering
• Rate limits
• Protection against traffic analysis
  – Padding
  – Routing control

Source Address Filtering
• Filtering out some packets because of their source address value
  – Usually because you believe their source address is spoofed
• Often called ingress filtering
  – Or egress filtering . . .

Source Address Filtering for Address Assurance
• Router “knows” what network it sits in front of
  – In particular, knows IP addresses of machines there
• Filter outgoing packets with source addresses not in that range
• Prevents your users from spoofing other nodes’ addresses
  – But not from spoofing each other’s
Source Address Filtering Example
[Figure: a host inside the 128.171.192.* network sends a packet with source address 95.113.27.12 toward 56.29.138.2; the border router reasons “My network shouldn’t be creating packets with this source address,” so it drops the packet]
Source Address Filtering in the Other Direction
• Often called egress filtering
  – Or ingress filtering . . .
• Occurs as packets leave the Internet and enter a border router
  – On the way to that router’s network
• What addresses shouldn’t be coming into your local network?
Filtering Incoming Packets
[Figure: a packet arrives from the Internet with source address 128.171.192.5 and destination 128.171.192.7; the border router of the 128.171.192.* network reasons “Packets with this source address should be going out, not coming in,” so it drops the packet]
Other Forms of Filtering
• One can filter on things other than source address
  – Such as worm signatures, unknown protocol identifiers, etc.
• Also, there are unallocated IP addresses in IPv4 space
  – Can filter for packets going to or coming from those addresses
• Some source addresses are for local use only
  – Internet routers can drop packets to/from them
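The border-router rules from the last five slides (outgoing source-address filtering, the same check on incoming packets, and dropping local-use-only addresses) as one filter, written as an added example rather than lecture code. The 128.171.192.* network and the addresses in the first two sample packets come from the slides; the remaining sample packets and the list of local-use-only ranges (the RFC 1918 private blocks, loopback, link-local and the 0.0.0.0/8 “this network” block) are assumptions made for the illustration. The sample traffic also includes the case the slides call out as not caught: an inside host using another inside host’s address.

```python
import ipaddress

# Border-router source-address filter (added example, not lecture code).
LOCAL_NET = ipaddress.ip_network("128.171.192.0/24")   # the 128.171.192.* network on the slides

# Address ranges meant for local use only; never valid on a packet crossing the border.
# The particular list is an assumption for this example.
LOCAL_USE_ONLY = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
)]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(direction, src, dst, local_net=LOCAL_NET):
    """Decide whether a packet may cross the border router.

    direction: "out" = leaving local_net for the Internet, "in" = arriving from the Internet.
    Returns (verdict, reason) with verdict "accept" or "drop".
    """
    src_addr = ipaddress.ip_address(src)
    dst_addr = ipaddress.ip_address(dst)
    # Local-use-only addresses should not appear on either end, in either direction.
    if _in_any(src_addr, LOCAL_USE_ONLY) or _in_any(dst_addr, LOCAL_USE_ONLY):
        return "drop", "local-use-only address at the border"
    if direction == "out" and src_addr not in local_net:
        # "My network shouldn't be creating packets with this source address."
        return "drop", "outgoing packet with a foreign source address (spoofed)"
    if direction == "in" and src_addr in local_net:
        # "Packets with this source address should be going out, not coming in."
        return "drop", "incoming packet claiming one of our own addresses (spoofed)"
    return "accept", ""


# Constructed sample traffic; the first two packets mirror the figures on the slides.
SAMPLE_PACKETS = [
    ("out", "95.113.27.12", "56.29.138.2"),     # inside host spoofing a foreign source
    ("in", "128.171.192.5", "128.171.192.7"),   # outside packet claiming one of our addresses
    ("out", "128.171.192.7", "56.29.138.2"),    # legitimate outgoing packet
    ("in", "56.29.138.2", "128.171.192.7"),     # legitimate reply
    ("in", "10.1.2.3", "128.171.192.7"),        # private address arriving from the Internet
    ("out", "128.171.192.9", "56.29.138.2"),    # inside host spoofing another inside host:
                                                # passes, as the slides say it will
]


def run_filter(packets):
    """Apply filter_packet to each (direction, src, dst) tuple and return the verdicts."""
    return [filter_packet(direction, src, dst)[0] for direction, src, dst in packets]


if __name__ == "__main__":
    for packet, verdict in zip(SAMPLE_PACKETS, run_filter(SAMPLE_PACKETS)):
        print(verdict, packet)
```

The last sample packet is the limitation the slide states: the router only knows which prefix sits behind it, so a packet from 128.171.192.9 looks legitimate whether or not the sending host actually owns that address; catching that needs per-port or per-host knowledge the border router does not have.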